CyberArk Interview Questions and Answers

The document contains questions and answers related to configuring and managing a CyberArk infrastructure. It discusses the interviewee's current CyberArk environment including the number and types of Vaults, PVWAs, CPMs, and other components. It also covers the interviewee's roles and responsibilities supporting operations, upgrades, and issue resolution. Finally, it provides technical details on various CyberArk configurations including logging in as master user, activating suspended accounts, onboarding accounts, and configuring ports, debugging levels, and firewall rules.

Uploaded by Kalpesh M

Q.1. Describe your current CyberArk infrastructure.

You should describe your current infrastructure: how many Vaults there are, whether they are standalone or in HA, and how many PVWAs, CPMs, PSMs, PSMPs, PTAs, etc.

Talk only about your own infrastructure, because the interviewer's follow-up questions will be based on it.

If I had to answer this question for my current environment, it would go something like this:

In our current CyberArk environment, we have:

- X standalone Vaults (one Production Vault and X DR Vaults)
- X PVWA servers, the kind of server (VM / cloud) and whether they are load balanced
- X PSM servers, the kind of server (VM / cloud) and whether they are load balanced
- X CPM servers, the kind of server (VM / cloud) and whether they are load balanced
- X PSMP servers, the kind of server (VM / cloud) and whether they are load balanced
- LDAPS authentication for logging in to the PVWA

Also mention how many accounts you manage.

Q.2. What are your roles and responsibilities?

Answer this question according to your own profile only, because the interviewer may base the next questions on your roles and responsibilities.

If I had to answer this question, it would go something like this:

My roles and responsibilities are as follows:

Working as a Subject Matter Expert (SME) and supporting the project in operations, upgrades and implementation to ensure smooth operations.

Upgrading CyberArk components when a new version is released, including the Vault, CPMs, PVWAs, PSMPs, AAM, PTA and PSM in HA, along with a standalone instance at the DR site.

Discussing with various teams (Windows, Unix, networking and security) as well as the application teams to understand the privileged accounts currently in use and how these accounts are currently managed.

Customizing CyberArk connection components and making the necessary changes according to the client's requirements.

Helping the team resolve issues related to any CyberArk component.

Answer these questions according to your own profile and your daily BAU activities. Don't claim anything beyond what you actually know.

Q.3. How do you log in as the Master user?

To log in as the Master user, the following is required:

- The Master password
- The Master CD or the recovery private key (RecPrv) on the Vault server
- The path to the private key must be set in dbparm.ini
- The PrivateArk Server must be restarted if the recovery private key path was changed
- The Master user must log in from the authorized IP address, if one is defined

The Master user can log in ONLY through the PrivateArk client, using PrivateArk authentication, on the PRIMARY Vault server.

Q.4. How do you activate a user whose account has been suspended?

When a user logs in to CyberArk and enters the wrong password, the account is suspended after 5 wrong attempts and the user cannot log in until the account is activated. The default value is 5 and it can be increased to a maximum of 99.

To activate the account:

Log in to the PrivateArk client as Administrator, or as any account with Administrator-like permission to activate user accounts.

- Go to Tools > Users & Groups
- Search for the suspended account
- Open that account and go to Trusted Network
- Click Activate

The user can now log in to CyberArk.

An account can only be activated from the PrivateArk client, not from the PVWA.

Q.5. What are the different ways of onboarding an account?

Accounts can be onboarded using the following methods:

- Manually from the PVWA
- Using the Password Upload Utility (PUU)
- Auto Detection / Auto Discovery
- REST API or PACLI scripts

Q.6. How do you increase the password retrieval time?

When you retrieve a password, it is revealed for a defined time.

Go to Administration > Options > General:

Search for Password Revealing, or just go to the General settings of the PVWA.

Look for Password Revealing and increase the time as required.

Click Apply, then OK.

Increasing the password revealing time depends entirely on your company's policy. In Internet Explorer a user can copy the password directly using the copy option, but in Google Chrome they can't copy it directly: they need to click Show, then double-click the password and copy it. The password revealing timer starts when they click Show, and its default value is 10 seconds.

Q.7. What is the workflow of a PSM connection?

CyberArk PSM connection workflow:

When a user clicks the Connect option, the PVWAApp user goes to the Vault and fetches the password of the PSMConnect user.

The PSM then logs in to the respective PSM server using the PSMConnect user.

The PSMGW user then fetches the password of the target account.

The PSM shadow user connects to the target server with the protocol chosen by the user.

The session recording is stored temporarily on the PSM; when the user disconnects the session, the recording file is uploaded to the CyberArk Vault.

Logs are forwarded to the configured SIEM (Splunk, ArcSight, QRadar, etc.).

To understand the workflow, one must know the functions of the PVWAGW, PVWAApp, PSMApp and PSMGW users.

Q.8. What are the functions of the PVWAApp, PVWAGW, PSMApp and PSMGW users?

These users are built in and are created when the PVWA and PSM are installed, respectively.

Use of the PVWAApp, PVWAGW, PSMApp and PSMGW users:

PVWAApp user: used by the PVWA for internal processing. It's the only user in the Vault responsible for opening the PVWA URL. If this user gets suspended, the PVWA URL can't be accessed.

PVWAGW user: generally used for provisioning other users to the Vault. If this user gets suspended, you won't be able to log in to the PVWA.

PSMApp user: generally used by the PSM for internal processing. It is used to retrieve configuration from the Vault and to create recording safes. In newer versions it has the Audit and Add Safes authorizations in the Vault.

PSMGW user: a member of the PVWAGWAccounts group, so it has access to all password objects. It is used by the PSM to fetch the target account's password.

From the above you can see how these accounts are used to grant access to the Vault or the target machine.

Q.9. Which ports does the CPM use to change passwords?

CyberArk CPM uses different ports for different platforms.

Below are the ports used by the CPM:

- Windows platform: 135, 139, 445
- Unix platform: 22
- Database: 1521

To change the password of Windows accounts, the CPM uses the Windows API to connect to the machine and then runs the net user command to change the password. To change the password of Unix accounts, it uses plink to connect to the Unix host and change the password accordingly. (Different flavors of Linux have different commands to change the password.)

Q.10. Why can't the CPM be load balanced?

A CPM is assigned to a safe, and a single safe may contain many accounts.

CyberArk CPM can't be load balanced because:

It would cause many password out-of-sync issues. Suppose the CPM were load balanced: one CPM changes or verifies a password according to the Master Policy and fails; another CPM then tries the same thing and succeeds, but the first CPM has no way of knowing that, so it pushes the change again. That leads to many out-of-sync issues.

In simple terms, it is to avoid a split-brain scenario.

Q.11. How do you restrict an LDAP user to using only the PSM and PVWA?

To restrict the user to authorized interfaces only:

- Log in to the PrivateArk client
- Go to Tools > Administrative Tools > Directory Mapping
- Select the Vault user mapping
- Click User Template and User Type
- Select Authorized Interfaces
- Choose only the interfaces you want the user to use

If a user uses an unauthorized interface, they will see an authentication failure.

Q.12. How do you secure RDP connections to the CyberArk PSM server with SSL?

On the PSM server, run gpedit.msc to set the security layer:

Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

Open the security setting Set client connection encryption level.

In the Options area, from the Encryption Level drop-down list, select High Level.

Click OK to save your settings.

Open the security setting Require use of specific security layer for remote (RDP) connections.

In the Options area, from the Security Layer drop-down list, select:

- Windows 2019: TLS
- Windows 2016: SSL
- Windows 2012 R2: SSL (TLS 1.0)

For connections with RDP files, specify the authentication level:i setting.

For connections with ActiveX, specify AdvancedSettings4.AuthenticationLevel.

In each active connection component, add a new component parameter.

Connections to the PSM require a certificate on the PSM machine. By default, Windows generates a self-signed certificate, but you can use a certificate supplied by your enterprise.

Q.13. How do you increase the debug levels for the CyberArk Vault and its components?

- Vault (dbparm.ini): DebugLevel=PE(1,6),PERF(1),LDAP(14,15)
- CPM: CPM.ini (or via PVWA System Configuration): up to level 6, per platform, and for Auto Detection
- PVWA: Administration tab > Options > Logging:
  - DebugLevel=High (None/High/Low)
  - InformationLevel=High (None/High/Low)
  - The LogFolder parameter in web.config in the IIS PasswordVault folder points to the log files: CyberArk.WebApplication.log, CyberArk.WebConsole.log, CyberArk.WebSession.log and PVWA.App.log
- PSM: General Settings:
  - Server Settings: TraceLevels=1,2,3,4,5,6,7
  - Recorder Settings: TraceLevels=1,2
  - Connection Client Settings: TraceLevels=1,2

Q.14. How do you allow a firewall rule between the Vault and a server, and how many IPs can be added?

AllowNonStandardFWAddresses is a multi-value parameter that can be added to dbparm.ini multiple times.

Up to 16 IP addresses are allowed.

The Vault service must be restarted after changing parameters in the DBParm.ini file.

Eg: AllowNonStandardFWAddresses=[1.1.1.1,2.2.2.0-2.2.2.255,3.3.3.0-3.3.3.255,...],Yes,1000:inbound/tcp
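As an added example (not part of the original document), the Python below parses and checks AllowNonStandardFWAddresses lines in a dbparm.ini excerpt before the Vault is restarted: it enforces the 16-entry limit and validates each address, range and port:direction/protocol rule. The line shape beyond the Eg. above, the meaning of the Yes/No flag and the sample addresses are assumptions made here.

```python
import ipaddress
import re
from dataclasses import dataclass

MAX_ADDRESSES = 16  # the limit the answer above gives for this parameter

# Line shape assumed here, generalised from the Eg. line (the Yes/No flag is kept but not interpreted):
#   AllowNonStandardFWAddresses=[<ip>,<ip>-<ip>,...],<Yes|No>,<port>:<inbound|outbound>/<tcp|udp>[,...]
LINE_RE = re.compile(
    r"^AllowNonStandardFWAddresses=\[(?P<addrs>[^\]]*)\],(?P<flag>Yes|No)"
    r"(?P<rules>(?:,\d+:(?:inbound|outbound)/(?:tcp|udp))+)$", re.IGNORECASE)
RULE_RE = re.compile(r"(\d+):(inbound|outbound)/(tcp|udp)", re.IGNORECASE)

@dataclass
class FwRule:
    addresses: list  # IPv4Address, or (start, end) tuple for a range
    flag: str
    ports: list      # (port, direction, protocol)

def parse_address(token):
    """Accept a single IPv4 address or a start-end range."""
    token = token.strip()
    if "-" in token:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in token.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end before start: {token}")
        return (lo, hi)
    return ipaddress.IPv4Address(token)

def parse_fw_line(line):
    """Parse one AllowNonStandardFWAddresses line; raise ValueError on any defect."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the AllowNonStandardFWAddresses format")
    tokens = [t for t in m.group("addrs").split(",") if t.strip()]
    if not tokens:
        raise ValueError("no addresses given")
    if len(tokens) > MAX_ADDRESSES:
        raise ValueError(f"{len(tokens)} address entries; at most {MAX_ADDRESSES} are allowed")
    addresses = [parse_address(t) for t in tokens]
    ports = [(int(p), d.lower(), proto.lower()) for p, d, proto in RULE_RE.findall(m.group("rules"))]
    if any(not 1 <= port <= 65535 for port, _, _ in ports):
        raise ValueError("port out of range")
    return FwRule(addresses, m.group("flag").capitalize(), ports)

def validate_dbparm(text):
    """Return [(line_no, error)] for every AllowNonStandardFWAddresses line that fails."""
    errors = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip().lower().startswith("allownonstandardfwaddresses"):
            try:
                parse_fw_line(raw)
            except ValueError as e:
                errors.append((n, str(e)))
    return errors

# Constructed dbparm.ini excerpt: two valid lines, then one with 17 entries (one too many).
SAMPLE_DBPARM = """[MAIN]
AllowNonStandardFWAddresses=[10.0.1.5,10.0.2.0-10.0.2.255],Yes,1000:inbound/tcp
AllowNonStandardFWAddresses=[10.0.3.0-10.0.3.255],Yes,514:outbound/udp,1000:inbound/tcp
AllowNonStandardFWAddresses=[""" + ",".join(f"192.0.2.{i}" for i in range(1, 18)) + "],Yes,1000:inbound/tcp"
```

Running validate_dbparm on the excerpt reports only the fourth line, so the check can be run before the Vault service restart that the parameter change requires.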

Q.15. How do you secure the PVWA URL?

To secure any URL you require an SSL certificate:

Get an SSL certificate containing all the information for your PVWA; if the PVWAs are load balanced, it should include the load balancer information too.

Import the certificate on the PVWA server into the Personal section of the computer certificates.

Open the IIS settings, edit the bindings, select the SSL certificate for port 443 and apply.

Reset IIS.

This should be done on all the PVWAs.

Q.16. Can we change the password complexity for a single platform?

Yes, you can have a different password complexity for every platform.

- Go to Administration > Platform Management
- Edit the platform whose password complexity you want to change
- Go to the Password Management section and click Change
- Set the complexity as required

The same password complexity must be configured on your target server too; otherwise the CPM will fail to change the password.
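Added example, not from the document: a Python check of whether a platform's complexity settings can only produce passwords the target server will accept, which is the mismatch that makes the CPM change fail as described above. The field names follow the platform's Password Management settings, but the policy model, the MaxLength field and the sample values are constructed here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed model of a complexity policy. For a CPM platform PasswordLength is the
    generated length; for a target it is the minimum. MaxLength is added for targets that cap length."""
    PasswordLength: int
    MinUpperCase: int = 0
    MinLowerCase: int = 0
    MinDigit: int = 0
    MinSpecial: int = 0
    PasswordForbiddenChars: str = ""
    MaxLength: Optional[int] = None

CLASSES = ("MinUpperCase", "MinLowerCase", "MinDigit", "MinSpecial")

def check_compatibility(platform, target):
    """List every reason a password generated under `platform` could be rejected by `target`."""
    issues = []
    if platform.PasswordLength < target.PasswordLength:
        issues.append(f"PasswordLength {platform.PasswordLength} < target minimum {target.PasswordLength}")
    if target.MaxLength is not None and platform.PasswordLength > target.MaxLength:
        issues.append(f"PasswordLength {platform.PasswordLength} > target maximum {target.MaxLength}")
    for cls in CLASSES:
        if getattr(platform, cls) < getattr(target, cls):
            issues.append(f"{cls}: platform {getattr(platform, cls)} < target {getattr(target, cls)}")
    # Characters the target forbids must also be forbidden on the platform, or the CPM may emit them.
    leaked = set(target.PasswordForbiddenChars) - set(platform.PasswordForbiddenChars)
    if leaked:
        issues.append("platform may generate characters the target forbids: " + "".join(sorted(leaked)))
    if sum(getattr(platform, cls) for cls in CLASSES) > platform.PasswordLength:
        issues.append("minimum character counts exceed PasswordLength")
    return issues

def satisfies(password, policy):
    """True if a concrete password (for instance one seen in a CPM log) meets `policy`."""
    counts = {
        "MinUpperCase": sum(c.isupper() for c in password),
        "MinLowerCase": sum(c.islower() for c in password),
        "MinDigit": sum(c.isdigit() for c in password),
        "MinSpecial": sum(not c.isalnum() for c in password),
    }
    if len(password) < policy.PasswordLength:
        return False
    if policy.MaxLength is not None and len(password) > policy.MaxLength:
        return False
    if any(ch in policy.PasswordForbiddenChars for ch in password):
        return False
    return all(counts[cls] >= getattr(policy, cls) for cls in CLASSES)

# Constructed policies: a CPM platform and a Unix target with a stricter PAM-style rule.
PLATFORM = PasswordPolicy(12, MinUpperCase=2, MinLowerCase=2, MinDigit=2, MinSpecial=1)
TARGET = PasswordPolicy(14, MinUpperCase=1, MinLowerCase=1, MinDigit=1, MinSpecial=1,
                        PasswordForbiddenChars="$`'\"")
# The same platform after aligning length and forbidden characters with the target.
FIXED_PLATFORM = PasswordPolicy(16, MinUpperCase=2, MinLowerCase=2, MinDigit=2, MinSpecial=1,
                                PasswordForbiddenChars="$`'\"")
```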

Q.17. How do you apply new patches to the Vault?

- Copy the KB file to your Vault server.
- Enable and start the Windows Update service.
- Enable and start the Windows Module Installer service.
- Open the Registry Editor.
- Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver entry.
- Back up the entry.
- Change the value of Start to 3.
- Restart the Vault server.
- Open Services Management and start the Windows Installer service.

Now stop the PrivateArk Server and Database services.

Install the Windows patch for the relevant operating system. Restart the Vault server if requested to.

Verify that the KB installed successfully on the server, then stop all the Windows services you enabled. You can consult CyberArk support before patching the Vault, as not every patch is applicable to Vault servers.

Q.18. What is the maximum number of transactions that can be received and processed concurrently by the Vault?

The maximum number of transactions the Vault can receive is 9000, and it handles around 600 transactions concurrently.

Q.19. What's the maximum length of a username in the Vault?

It's 128 characters.

Q.20. What's the difference between MFA and 2FA?

2FA: when two authentication methods are used to provision the account.

2FA requires exactly two authentication credentials, no more, no less.

Every Two-Factor Authentication is Multi-Factor Authentication.

MFA: when two or more authentication methods are used to provision the account.

It may be 2 or 3 credentials, but the only criterion to qualify as MFA is that more than one credential is required to confirm a person's identity.

Not every Multi-Factor Authentication is Two-Factor Authentication.

Q.21. Define the CyberArk PSMConnect and PSMAdminConnect users.

During PSM installation, the PSMConnect and PSMAdminConnect users are created on the PSM server machine:

PSMConnect: the account used to connect through the PSM using a connection method defined in the PVWA. The PSMConnect user is used to start PSM sessions on a PSM machine.

PSMAdminConnect: the PSMAdminConnect user is used to monitor live sessions.

Q.22. Have you heard about CyberArk's new JIT feature?

There are cases where managing the local administrator passwords is not possible at the initial stage of deployment.

Just-in-Time access can be used as an intermediate step towards fully vaulting the local administrators. The end user requests access to a designated ad hoc target machine and is subsequently added to its local admin group.

Just-in-Time access is not supported in a distributed Vaults environment.

Just-in-Time (JIT) access is available only to users authenticating to the PVWA using LDAP.

Note: You can grant Windows admins on-demand, ad hoc privileged access to Windows targets for a limited period (the default is 4 hours).

Q.23. What is the CAL license used for?

The interviewer may ask this question for any profile:

A Client Access License (CAL) is a license provided by Microsoft for RDP connections to target servers.

CyberArk Privileged Session Manager (PSM) uses these CAL licenses to establish connections to target servers.

Its types: Per Server and Per User.

After installing the PSMs, you can ask the respective team to configure the CAL license on the PSM servers so that connections can be established to target servers via the PSMs. Whether the license is per server or per user depends entirely on the company's policy.

Q.24. How does the PSM store session recordings in the Vault?

CyberArk PSM records privileged sessions and stores them in the Vault, where they can be viewed at any time by authorized users.

When you click Connect and establish a connection to the target server, the recording is stored temporarily in the PSM's recordings folder. When you disconnect the session, the PSMApp user uploads the session recording to the respective recording safe in the CyberArk Vault.

Q.25. What are LOGON and RECONCILE accounts?

Logon account: a logon account can be used where direct login with an account is not permitted.

When a logon account is mapped to an account, it is used to log on to the target server and then elevate to the privileged user.

Reconcile account: a reconcile account can be used to reset the password of an account when that password is unknown or lost; using the associated reconcile account you can reset the password.

A logon account is generally used for Unix accounts where root is not allowed to log in directly on the server; the logon account has switch permissions, so that after logging on with it you can switch to root.

To reset an account's password, the reconcile account must be given the necessary permission to reset the password of that account.

Q.26. What are process and prompt files, and what are they used for?

The Terminal Plugin Controller (TPC) platform helps you create new CPM plugins, using terminal and scripting languages, for terminal-based devices.

TPC plugins are made up of two files that the platform uses to authenticate to target machines:

Prompts: the Prompts file includes a list of conditions. When the plugin runs, TPC matches the conditions defined in this file to the output (prompts) it receives from the target machine.

Process: the Process file includes all the states and transitions that are relevant to the flow.

CyberArk TPC supports plugins based on SSH, Telnet, Python, PowerShell and cScript.
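The prompts/process split described above, modelled in Python as an added example (it is not TPC's own file syntax or CyberArk code): a prompts table of regex conditions, a process table of states and transitions, and a driver that matches constructed device output against them through a password-change flow, including what happens when the device answers with output no transition expects.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed prompts table: condition name -> regex matched against device output.
# Names and syntax are made up here; they are not TPC's own prompts-file format.
PROMPTS = {
    "login":        r"login:\s*$",
    "password":     r"[Pp]assword:\s*$",            # also matches "Current password:"
    "shell":        r"[$#]\s*$",
    "new_password": r"New password:\s*$",
    "retype":       r"Retype new password:\s*$",
    "updated":      r"password updated successfully",
    "auth_failed":  r"Authentication failure|Login incorrect",
    "rejected":     r"BAD PASSWORD",
}

@dataclass(frozen=True)
class Transition:
    prompt: str           # key in PROMPTS that must match the output
    next_state: str
    send: Optional[str]   # placeholder for what is sent when the transition fires

# Constructed process table: state -> transitions, tried in order (first match wins), so the
# specific "new_password" is listed before the generic "password" in the logged_in state.
PROCESS = {
    "init":        [Transition("login", "sent_user", "<username>")],
    "sent_user":   [Transition("password", "sent_pass", "<current_password>")],
    "sent_pass":   [Transition("shell", "logged_in", "passwd"),
                    Transition("auth_failed", "FAIL", None)],
    "logged_in":   [Transition("new_password", "sent_new", "<new_password>"),
                    Transition("password", "sent_old", "<current_password>")],
    "sent_old":    [Transition("new_password", "sent_new", "<new_password>")],
    "sent_new":    [Transition("retype", "sent_retype", "<new_password>"),
                    Transition("rejected", "FAIL", None)],
    "sent_retype": [Transition("updated", "END", None),
                    Transition("rejected", "FAIL", None)],
}

def run_process(process, prompts, output_chunks, start="init"):
    """Feed successive chunks of device output through the state machine.
    Returns (final_state, trace); trace holds (state, matched_prompt, sent) per step."""
    state, trace = start, []
    for chunk in output_chunks:
        for t in process.get(state, []):
            if re.search(prompts[t.prompt], chunk, re.MULTILINE):
                trace.append((state, t.prompt, t.send))
                state = t.next_state
                break
        else:
            # No condition matched: the plugin has no transition for this output.
            return "FAIL", trace + [(state, None, None)]
        if state in ("END", "FAIL"):
            break
    return state, trace

# Constructed device output, one chunk per prompt the device shows.
SUCCESS_SESSION = ["host login: ", "Password: ", "Last login: Mon\nsvc@host:~$ ",
                   "Changing password for svc.\nCurrent password: ", "New password: ",
                   "Retype new password: ", "passwd: password updated successfully\nsvc@host:~$ "]
BAD_LOGIN_SESSION = ["host login: ", "Password: ", "Login incorrect\nhost login: "]
```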

Q.27. What is the use of the Quorum disk in a CyberArk HA Vault?

When you install a CyberArk HA Vault, the Quorum disk is one of the main requirements.

Quorum: it tells the cluster which physical server(s) should be active at any given time. It is a small disk used to identify the connectivity and availability of the active node.

The Quorum mechanism is used to prevent communication errors from causing split-brain scenarios.

Q.28. If you want to apply a new license to your CyberArk Vault, how do you do it?

This question can be asked for any profile:

First take a backup of the existing license, then replace it with the new one and restart the PrivateArk Server service.

- Log in to the CyberArk Vault server.
- Go to the installation directory > PrivateArk > Server > Conf
- Rename the existing license to keep a backup.
- Copy the new license to the same folder; it should be named "License" and the format can be .xml (License.xml)
- Restart the PrivateArk Server service and check the logs

If you don't want to restart the PrivateArk service, log in to the PrivateArk client with the Administrator user, open the System safe and replace the old license with the new one there. This is very quick and there is no need to restart the service!

Note: A new license can be procured from CyberArk Professional Services based on your requirements, and if the new license does not work after successfully replacing the old one, you must reach out to CyberArk Professional Services only.

Q.29. How is SIEM integration done?

When the Vault is to be integrated with SIEM solutions like Splunk, Sentinel, QRadar, etc., we need to make the following changes in the dbparm.ini file:

- Define the IP address of the SIEM tool
- Port
- Translator file path
- Codes
- Legacy method to receive the data

After you make the changes in dbparm.ini, some changes need to be configured at the SIEM server end too, like whitelisting the Production Vault IP address.

Q.30. If you find there are more than 5000 non-compliant accounts, what will be your action?

You can pull the compliance report and find out how many accounts are compliant and non-compliant:

First segregate the errors; there is a good chance that several accounts share the same errors, so group them.

Make a list of the errors: they might be related to a port not being open, a firewall blocking the connection, a bad user or password, a policy blocking the change, etc.

Once you know the errors, work on them accordingly: to open the ports, contact the respective team; for Windows we need 135, 139 and 445, and for Unix it's 22.

If it's a bad user or password, check the password complexity and forbidden characters; they should be the same as on the server. You can refer to the CPM logs and third-party logs to find the root cause, work on the issues accordingly, and fix them using the PUU. When you download the compliance report you might see some discrepancy in it, like a few accounts showing as compliant when you search in the CyberArk PVWA but showing non-compliant in the report.

Note: Why is that? Because when you change the password of an account manually, it might not show as compliant in the compliance report. When an account's password is changed automatically by the CPM, it will show as compliant in the report.
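As an added example, not from the document, the Python below performs the error segregation described in Q.30 over a constructed compliance export: it groups non-compliant accounts by error class and, for network failures, lists per platform the target hosts and the CPM ports from Q.9 to request from the firewall team. The column names, error classes and failure messages are constructed for this example, not CyberArk's report format.

```python
import csv
import io
import re
from collections import defaultdict

# Ports the CPM needs per platform, from the answer to Q.9.
CPM_PORTS = {"Windows": [135, 139, 445], "Unix": [22], "Database": [1521]}

# Constructed error classes and the message patterns that sort a CPM failure into them.
# Order matters: "policy" is tested before "credentials" so that a complexity rejection
# ("BAD PASSWORD: ... complexity") is not filed as a wrong password.
ERROR_CLASSES = [
    ("network", re.compile(r"timed out|connection refused|unreachable|network path", re.I)),
    ("policy", re.compile(r"complexity|forbidden|policy|too short", re.I)),
    ("credentials", re.compile(r"logon failure|access denied|authentication fail|permission denied", re.I)),
]

def classify(message):
    """Return the error class of one failure message, or 'other' if nothing matches."""
    for name, pattern in ERROR_CLASSES:
        if pattern.search(message):
            return name
    return "other"

def triage(report_csv):
    """Group non-compliant accounts by error class and, for network failures, build the
    per-platform host list and CPM port list to hand to the firewall team."""
    by_class = defaultdict(list)
    hosts_by_platform = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["Compliant"].strip().lower() == "yes":
            continue  # compliant accounts need no action
        cls = classify(row["LastFailure"])
        by_class[cls].append(row["Account"])
        if cls == "network":
            hosts_by_platform[row["Platform"]].add(row["Address"])
    summary = {cls: sorted(accts) for cls, accts in by_class.items()}
    firewall = {plat: {"hosts": sorted(hosts), "ports": CPM_PORTS.get(plat, [])}
                for plat, hosts in hosts_by_platform.items()}
    return summary, firewall

# Constructed compliance export; column names and messages are made up for this example.
SAMPLE_REPORT = """Account,Platform,Address,Compliant,LastFailure
svc_backup,Windows,10.0.1.10,No,Connection timed out on port 445
svc_sql,Windows,10.0.1.11,No,Logon failure: unknown user name or bad password
root,Unix,10.0.2.20,No,Connection refused
oracle,Database,10.0.3.30,Yes,
appadmin,Unix,10.0.2.21,No,passwd: BAD PASSWORD: does not meet complexity requirements
jdoe_adm,Windows,10.0.1.12,No,The network path was not found
"""
```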
